Prepare for directory synchronization

This topic might not be completely applicable to users of Microsoft Azure in China. For more information about Azure service in China, see windowsazure.cn.

As an administrator, you need to do some preparation before you synchronize your local Active Directory to Microsoft Azure Active Directory (Microsoft Azure AD).

If you are deploying single sign-on, then we recommend that you set up single sign-on before you set up directory synchronization.

After you’ve set up single sign-on, verify that the following statements are true:

You have the required software.

You have set up the correct permissions.

You understand the performance considerations related to directory synchronization.

Activating directory synchronization should be considered a long-term commitment. After you have activated directory synchronization, you can only edit synchronized objects by using your on-premises Active Directory management tools. For more information, see Directory synchronization and source of authority.

All customers of Azure Active Directory and Office 365 have a default limit of 50,000 mail-enabled objects (users, mail-enabled contacts, and groups). This limit determines how many objects you can create in your tenant. Objects can be created using DirSync, PowerShell or the Graph API.

When you verify your first domain, this object limit is automatically increased to 300,000 objects. Each tenant is only granted one increase.

Important

If you have verified a domain and need to synchronize more than 300,000 objects, or you do not have any domains to verify and need to synchronize more than 50,000 mail-enabled objects, you will need to contact Azure Active Directory Support to request an increase to your object quota limit.

If your on-premises Active Directory has fewer than 50,000 mail-enabled objects, you can deploy directory synchronization with Microsoft SQL Server 2008 Express. However, if your on-premises Active Directory has over 50,000 mail-enabled objects, you must deploy directory synchronization with a full instance of SQL Server. The required full instances of SQL Server are Microsoft SQL Server 2008 Standard, Microsoft SQL Server 2008 R2 or Microsoft SQL Server 2012. For more information about deploying synchronization on a standalone version of SQL Server, see How to install the Directory Sync tool onto SQL Server.

This section describes the computer requirements for running the Directory Sync tool. The Directory Sync tool communicates with your domain controller servers. The default installation of the Directory Sync tool includes a version of Microsoft SQL Server 2012 Express SP1.

The directory synchronization computer must meet the following requirements:

It must run Windows Server as operating system. The following versions of the Windows Server operating system are supported:

64-bit edition of Windows Server 2008 Standard, Enterprise, or Datacenter edition with SP1 or later

Windows Server 2008 R2 Standard, Enterprise, or Datacenter edition with SP1 or later

Windows Server 2012 Standard or Datacenter

Windows Server 2012 R2 Standard or Datacenter

It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. For the rich co-existence scenario, this is a requirement because the DirSync server explicitly enumerates and reaches out to all domain controllers in the forest in order to set permissions for write-back. This is not the case if you do not have Hybrid Deployment enabled. The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.

It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.5.1. If you are running Windows Server 2008, the .NET Framework will already be installed; if not, you can download it from the following locations:

It must be located in an access-controlled environment. Access to the computer that is running the Directory Sync tool should be limited to those users who have access to your Active Directory domain controllers and other sensitive network components. Only users or administrators that have the necessary permissions to make changes to domain controllers in Active Directory should have access to this computer.

Note

Support for Windows Server 2012 has been added to the server running the Directory Sync tool.

Important

You can only install one computer running the Directory Sync tool between an on-premises Active Directory and an Office 365 tenant.

When you install the Directory Sync tool, the Configuration wizard creates a service account that will be used to read from your local Active Directory and write to Azure AD. The wizard creates this account using both your local Active Directory admin permissions and your cloud admin permissions, which you provide as part of setup.

To run the Directory Sync tool, you must have administrator permissions for the following:

The first time that the Directory Sync tool runs, it copies all the relevant objects (user accounts and security groups) to Azure AD. Before performing this operation, you must know the number of objects that will be copied so that you can plan ahead for the effect this operation will have on your network response time and the computers that are running Microsoft Exchange Server.

Note

The Azure AD service supports synchronization of up to 50,000 mail-enabled objects. To synchronize more than 50,000 mail-enabled objects, contact Support.
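To plan for the initial synchronization, you need the count of mail-enabled users, contacts and groups across the forest, compared with the object limits described above. The following script is an added example, not part of the original page; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account can read every domain in the forest.

```powershell
# Added example: count the mail-enabled objects DirSync would copy and compare the
# total with the tenant object limits stated on this page (50,000 by default,
# 300,000 once the first domain is verified).
Import-Module ActiveDirectory

$DefaultLimit  = 50000
$VerifiedLimit = 300000

# "Mail-enabled" is taken here to mean the object carries a mail attribute;
# one LDAP filter per class so the report shows where the volume comes from.
$filters = @{
    Users    = '(&(objectCategory=person)(objectClass=user)(mail=*))'
    Contacts = '(&(objectClass=contact)(mail=*))'
    Groups   = '(&(objectClass=group)(mail=*))'
}

$counts = @{ Users = 0; Contacts = 0; Groups = 0 }
foreach ($domain in (Get-ADForest).Domains) {
    foreach ($class in $filters.Keys) {
        # -Server targets each domain in turn; the default search base is that domain's root.
        $n = @(Get-ADObject -Server $domain -LDAPFilter $filters[$class]).Count
        $counts[$class] += $n
    }
}
$total = ($counts.Values | Measure-Object -Sum).Sum

$counts.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
"Total mail-enabled objects in forest: $total"

if ($total -gt $VerifiedLimit) {
    "Exceeds the $VerifiedLimit quota granted after domain verification: contact Azure AD Support before enabling DirSync."
} elseif ($total -gt $DefaultLimit) {
    "Above $DefaultLimit: verify a domain to raise the quota, and plan a full SQL Server instance instead of SQL Express."
} else {
    "Within the default quota: the SQL Express instance installed by the Directory Sync tool is sufficient."
}
```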

Tip

Using Office 365? Objects that have been synchronized from your on-premises directory service appear immediately in the Global Address List (GAL); however, these objects may take up to 24 hours to appear in the Offline Address Book (OAB) and in Lync Online.

To set up directory synchronization, you must designate one computer as your directory synchronization computer, and then install the Directory Sync tool on that computer.

The performance of the Directory Sync tool depends on the size and complexity of the customer’s Active Directory as well as the hardware that is running the directory synchronization tool. Running the directory synchronization tool on insufficient hardware will degrade the performance of the tool, resulting in increased latency or even failure to propagate on-premises data to the cloud.

In the case of Active Directory deployments with more than 50,000 mail-enabled objects, we recommend that you deploy the directory synchronization tool with a full SQL instance (a deployment of any non-SQL Express SKU such as SQL Server Standard, Enterprise or Datacenter). Customers with fewer than 50,000 mail-enabled objects may also elect to use a full SQL instance; however, the SQL Express instance installed by default with the Directory Sync tool will suffice.

The following table shows the minimum recommended hardware requirements for the directory synchronization computer in relation to how many objects you have in your on-premises Active Directory.

Various processes within the Directory Sync tool will consume hard disk space. The disk space consumed by the Directory Sync tool increases based on several factors, including the size and complexity of the Active Directory infrastructure that the Directory Sync tool is synchronizing from.

The Hard Disk capacities listed in the table above are estimates of the total disk space required to synchronize Active Directory for the stated sizes.

By default, the Directory Sync tool will install Microsoft SQL Server 2008 R2 Express edition. The data files are stored in the same directory as the Microsoft Online Directory Sync Product files (the path specified during installation of the Directory Sync tool – C:\Program Files\Microsoft Online Directory Sync). The location of these database files is not configurable for SQL Server 2008 R2 Express edition.

The Directory Sync tool does not mandate or require a specific hard disk configuration for customers that use an existing SQL Server Instance. However, machines with disk configurations optimized for SQL will realize better overall performance of the directory synchronization process.

To sign in to Microsoft online services, your users must provide credentials in the form of a user name and password combination. One possible format for a user name is the on-premises user principal name (UPN) attribute, also known as the user logon name. Using the on-premises UPN requires the UPN attribute to use a publicly routable domain. However, there are cases where the on-premises domain is not routable. This is, for example, true for single-level domains such as “.local” or “.intranet”.

One method to address this is adding an alternate UPN suffix to your Active Directory. Below, you can find instructions for how to add an alternate suffix.

You must add an alternative UPN suffix to associate the user’s corporate credentials with the Office 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.
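The following script is an added example (not instructions from the original page) of the procedure just described: it registers an alternate UPN suffix on the forest, then reports enabled users whose current UPN is non-routable or uses characters outside the allowed set, and proposes a replacement. It assumes the ActiveDirectory module, Enterprise Admin rights to change forest suffixes, and uses `contoso.com` as a placeholder for your verified domain; the list of non-routable top-level labels is an assumption built from the page’s examples.

```powershell
# Added example: add an alternate UPN suffix and find UPNs that cannot be used for sign-in.
Import-Module ActiveDirectory
$RoutableSuffix = 'contoso.com'          # placeholder: the domain you verified in Office 365
$NonRoutableTld = @('local', 'intranet') # assumption: labels the page calls out as not routable

# 1. Register the alternate suffix on the forest (skipped if it is already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $RoutableSuffix}
}

# 2. Report users whose UPN would not work: missing, single-label or non-routable suffix,
#    or a prefix with characters other than letters, digits, periods, dashes and underscores.
$allowedPrefix = '^[A-Za-z0-9._-]+$'
$report = foreach ($domain in $forest.Domains) {
    Get-ADUser -Server $domain -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            $reason = $null
            if (-not $upn) {
                $reason = 'no UPN set'
            } else {
                $prefix, $suffix = $upn -split '@', 2
                $tld = ($suffix -split '\.')[-1]
                if ($suffix -notmatch '\.' -or $NonRoutableTld -contains $tld) { $reason = 'non-routable suffix' }
                elseif ($prefix -notmatch $allowedPrefix) { $reason = 'invalid characters in prefix' }
            }
            if ($reason) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    CurrentUPN     = $upn
                    Reason         = $reason
                    ProposedUPN    = "$($_.SamAccountName)@$RoutableSuffix"
                }
            }
        }
}
$report | Format-Table -AutoSize

# 3. Apply the proposed UPNs only after reviewing the report; remove -WhatIf to commit.
foreach ($r in $report) {
    Set-ADUser -Identity $r.SamAccountName -UserPrincipalName $r.ProposedUPN -WhatIf
}
```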

If you have not yet set up Active Directory synchronization, you can skip this task and continue with the next section.

If you have already set up Active Directory synchronization, the user’s UPN for Office 365 may not match the user’s on-premises UPN defined in Active Directory. This can occur when a user was assigned a license before the domain was verified.

To remedy this issue, use Windows PowerShell to update users’ UPNs to ensure that their Office 365 UPN matches their corporate user name and domain.
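As an added example of the remedy above (not code from the original page), the following script matches synchronized cloud users to their on-premises accounts and renames any cloud UPN that differs. It assumes the MSOnline module (`Connect-MsolService`, `Get-MsolUser`, `Set-MsolUserPrincipalName`), the ActiveDirectory module, a Global Administrator account, and that DirSync populated `ImmutableId` with the base64 form of the on-premises `objectGUID`, which is its default source anchor.

```powershell
# Added example: make each synchronized user's Office 365 UPN match the on-premises UPN.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # prompts for cloud admin credentials

# Lookup of on-premises UPNs keyed by the base64 objectGUID that DirSync stores as ImmutableId.
$onPrem = @{}
foreach ($domain in (Get-ADForest).Domains) {
    Get-ADUser -Server $domain -Filter * -Properties UserPrincipalName | ForEach-Object {
        $key = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
        $onPrem[$key] = $_.UserPrincipalName
    }
}

# Compare every synchronized cloud user with its on-premises source of authority.
$mismatches = Get-MsolUser -All |
    Where-Object { $_.ImmutableId -and $onPrem.ContainsKey($_.ImmutableId) } |
    Where-Object { $_.UserPrincipalName -ne $onPrem[$_.ImmutableId] } |
    ForEach-Object {
        [pscustomobject]@{
            CloudUPN  = $_.UserPrincipalName
            OnPremUPN = $onPrem[$_.ImmutableId]
        }
    }
$mismatches | Format-Table -AutoSize

# Rename the cloud UPN to the on-premises value. Review the table first: the new UPN is what
# the user will type at sign-in, and its suffix must be a domain verified in the tenant.
foreach ($m in $mismatches) {
    Set-MsolUserPrincipalName -UserPrincipalName $m.CloudUPN -NewUserPrincipalName $m.OnPremUPN
}
```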